Tombar · December 30, 2015 08:19
diff --git a/gistfile1.rb b/gistfile1.rb
 filter {

  ruby {

      code => "# ruby filter to parse and extract postdata multipart encoded into fields

        if event['postdata']['request_body'] =~ /Boundary/

          fields = event['postdata']['request_body'].gsub('x0Dx0Ax0Dx0A', '=')
            .gsub('Content-Disposition: form-data; name=', '')
            .gsub('x0Dx0A', '')
            .gsub('--', '')
            .gsub('x22', '')
            .split('Boundary+0xAbCdEfGbOuNdArY')

        else
          fields = event['postdata']['request_body'].split('&')
        end

        fields.each do |f|
          unless f.nil? or f.empty?
            tmp = f.split('=')
            event['postdata'][tmp[0]] = tmp[1]
          end
        end

      "
  }
  
 }
	filter {

	ruby {

	code => "# ruby filter to parse and extract postdata multipart encoded into fields

	if event['postdata']['request_body'] =~ /Boundary/

	fields = event['postdata']['request_body'].gsub('x0Dx0Ax0Dx0A', '=')
	.gsub('Content-Disposition: form-data; name=', '')
	.gsub('x0Dx0A', '')
	.gsub('--', '')
	.gsub('x22', '')
	.split('Boundary+0xAbCdEfGbOuNdArY')

	else
	fields = event['postdata']['request_body'].split('&')
	end

	fields.each do \|f\|
	unless f.nil? or f.empty?
	tmp = f.split('=')
	event['postdata'][tmp[0]] = tmp[1]
	end
	end

	"
	}

	}